Problem description
What I am trying to achieve
Connect to an Azure BLOB storage account that sits behind a firewall through an Azure Function.
Steps taken so far
- Azure Function developed and tested against public storage account which works as expected.
- Following Azure Resource Explorer for my Azure Function I find out the outbound addresses ("outboundIpAddresses" entry) and I add them in the firewall of the storage Account.
Problem
While trying to run the Azure Function against the storage account with the firewall I am getting a Status: 500 Internal Server Error - This request is not authorized to perform this operation.
What am I missing here?
Recommended answer
You won't be able to achieve what you want here currently. When you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IPs, not the public IPs listed in the web app, and so is not allowed over the firewall (I have had this confirmed by Azure support). Because you don't have access to the internal IPs of the function, and even if you did they can change, you can't whitelist them.
If your resources were in different regions, traffic would go over the external IPs and you would have more success.
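
A check that applies the answer's explanation to the two resource documents from Azure Resource Explorer, added here as an example and not part of the original question or answer. The storage firewall field names (`networkAcls`, `ipRules`, `defaultAction`) are assumed from the ARM resource shape, the function names are hypothetical, and the sample documents and IP addresses are constructed.

```python
import ipaddress

# Constructed sample documents in the shape Azure Resource Explorer shows.
FUNCTION_APP = {
    "location": "West Europe",
    "properties": {"outboundIpAddresses": "203.0.113.10,203.0.113.11,198.51.100.7"},
}
STORAGE_ACCOUNT = {
    "location": "westeurope",
    "properties": {"networkAcls": {          # field names assumed from the ARM shape
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"},
                    {"value": "198.51.100.7", "action": "Allow"}],
    }},
}

def norm_region(name):
    # The same region appears as "West Europe" or "westeurope" depending on the resource.
    return name.replace(" ", "").lower()

def diagnose(function_app, storage_account):
    """Return (same_region, outbound IPs not covered by any allow rule)."""
    acls = storage_account["properties"]["networkAcls"]
    allowed = [ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []) if r.get("action", "Allow") == "Allow"]
    raw = function_app["properties"]["outboundIpAddresses"]
    outbound = [ipaddress.ip_address(a.strip()) for a in raw.split(",") if a.strip()]
    uncovered = [str(ip) for ip in outbound if not any(ip in net for net in allowed)]
    same = norm_region(function_app["location"]) == norm_region(storage_account["location"])
    return same, uncovered

def verdict(function_app, storage_account):
    acls = storage_account["properties"]["networkAcls"]
    if acls.get("defaultAction") != "Deny":
        return "firewall-not-enforced"
    same, uncovered = diagnose(function_app, storage_account)
    if same:
        # Per the answer: same-region traffic arrives from internal IPs, so the
        # public outbound addresses in the rules are never what the firewall sees.
        return "same-region"
    return "missing-ip-rules" if uncovered else "ip-rules-cover-outbound"

if __name__ == "__main__":
    print(verdict(FUNCTION_APP, STORAGE_ACCOUNT), diagnose(FUNCTION_APP, STORAGE_ACCOUNT))
```

With the sample data every outbound address is covered by a rule, yet the verdict is `same-region`, which is the situation the question describes.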